ECDH address

ECDH addresses are also called stealth addresses, reusable payment codes, reusable addresses or paynyms. Elliptic-curve Diffie–Hellman (ECDH) is a key agreement protocol that allows two parties to establish a shared secret over an insecure channel. For example, Alice and Bob can communicate cryptographic information between themselves and agree on a shared secret, Eve the eavesdropper can see _all_ their messages and yet still will not be able to calculate the shared secret.

The concept can be used in a bitcoin context by having the receiver of bitcoin publish some ECDH-information which the sender can use to calculate a shared secret. This shared secret becomes a bitcoin address which the sender sends money to. The receiver can calculate the corresponding private key to have access to the money.

Dual-key ECDH address

Another way of creating a ECDH address system is to have two receiver keypairs. One key has the power to spend the money (spend key) and the other key is for searching (scan key). Then the scan key can be sent to a third-party server to outsource the scanning. The server won't be able to steal any money because it doesn't have the spend key. Needless to say this method is not good for privacy because the server can see track all the transactions on the ECDH address.

Transmitting the nonce point

A tricky part of the ECDH scheme is transmitting the nonce point P from sender to receiver. There are a few different methods for this:

Embedding the nonce point in a OP_RETURN output. This requires the receiver to scan all blocks for check for OP_RETURN outputs and corresponding ECDH payments. It also uses extra block space, and allows estimation of how many ECDH transactions have happened.

Embedding the nonce point in an ECDSA signature. This requires the receiver to scan all blocks for check for ECDH payments. It also damages fungibility slightly by only allowing coins protected by ECDSA to be sent via ECDH.

Delegation of scanning to a third-party server (see above, Dual-key ECDH address). Ruins privacy as the server can track everything.

Embedding the nonce point in an extra transaction (in OP_RETURN) sent to a fixed address belonging to the receiver. This allows the receiver to outsource scanning to a server which watches the fixed address. The server can count the number of ECDH transactions but not easily track their amount, source or destination. This also uses extra block space.

ECDH addresses therefore require either a costly scan process of the entire blockchain, delegation to a third-party server which can spy on transactions, an extra step of interactivity or using the blockchain as a messaging medium.

However ECDH addresses do not solve all privacy problems as they are still vulnerable to mystery shopper payments; an adversary can donate some bitcoins and watch on the blockchain to see where they go afterwards, using heuristics like the common-input-ownership heuristic to obtain more information such as donation volume and final destination of funds.

Historically it has been very hard and slow to get the bitcoin ecosystem to adopt a new address type.

BIP47

BIP47 is a standard for ECDH address (the BIP calls them Reusable Payment Codes). It transmits the nonce in an extra transaction with a OP_RETURN output.

The comments on the BIP47 document unanimously discourage its implementation[1]